Attacks Overview


We propose the Fast Featuremap Loss PGD (FFL-PGD) untargeted attack, based on a substitute model, which achieves a high evasion rate with a very limited number of queries.

Instead of the millions of queries used in previous studies, our method finds the adversarial examples using on average only one or two queries.


White-box Attack is Easy

The attacker knows the parameters and the network structure, and has unlimited access to model input.


Black-box Attack is Difficult

Unknown parameters
Unknown network structure
Unknown model

The attacker has unlimited access to model input.


Attacking a Cloud-based Image Classifier Service is More Difficult!

Unknown parameters
Unknown network structure
Preprocessing: resize, crop, blur, ...

The attacker can only access the model input, with unknown preprocessing and limited queries.

Keeping the model in the cloud provides a false sense of security.
Steps of Our Attack

Step 1: Substitute Model Training
Step 2: Adversarial Sample Crafting


Substitute Model Training (1)

We can use DNNs pretrained on ImageNet as our substitute model.
Substitute Model Training (2)

We simplify the untargeted attack into a binary classification problem: cat or not?

We fix the parameters of the feature layers and train only the last fully connected layer.
Substitute Model Training (3)


Adversarial Sample Crafting (1)


We propose the Fast Featuremap Loss PGD attack, which has a novel loss function to improve the success rate of the transfer attack.

The loss function L is defined as:

$L = \text{class\_loss} + \beta \cdot \text{FeatureMap\_loss}$


Adversarial Sample Crafting (2)


Class loss makes the result of the classification wrong.
FeatureMap loss, computed on the output of the last convolution layer of the substitute model, represents the highest level of semantic features of the convolution layers and improves the transferability of the adversarial sample.


Adversarial Sample Crafting (3)


Illustration of cat recognition: the first convolution layer mainly recognizes features such as edges and lines. The last convolution layer recognizes features such as eyes and nose.


Adversarial Sample Crafting (4)


We assume the original input is O, the adversarial example is ADV, and the featuremap loss is:

$\text{FeatureMap\_loss}(ADV, O) = \lVert L_n(ADV) - L_n(O) \rVert_2$

where $L_n(\cdot)$ is the output of the last convolution layer of the substitute model.


Datasets and Preprocessing (1)


100 cat images and 100 other animal images are selected from the ImageNet val set.
Images are clipped to the size of 224×224×3.
Image format is RGB.


Datasets and Preprocessing (2)


We use these 100 images of cats as original images to generate adversarial examples and mount a black-box untargeted attack against real-world cloud-based image classification services.

We count the number of top-1 misclassifications to calculate the escape rate.


Attack Evaluation 


We choose ResNet-152 as our substitute model.
We launch PGD and FFL-PGD attacks against our substitute model to generate adversarial examples.

We compare FFL-PGD with PGD and the ensemble-model attack, which are considered to have good transferability.


Attack Evaluation: Escape Rates

We increase the step size ε from 1 to 8; the figure records the escape rates of the PGD and FFL-PGD attacks, with FFL-PGD achieving higher escape rates than PGD.


Attack Evaluation: PSNR


PGD has a higher PSNR, which is considered as better image quality. But both of them are higher than 20 dB when ε goes from 1 to 8, which means both of them keep acceptable image quality.

The figure records the PSNR of the PGD and FFL-PGD attacks.


Attack Evaluation: SSIM


FFL-PGD has a higher SSIM, which is considered as better image similarity.

The figure records the SSIM of the PGD and FFL-PGD attacks.
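To reproduce the quantities the evaluation slides report (escape rate counted from top-1 misclassifications, PSNR against the 20 dB bar, and SSIM), here is an added example in Python that is not part of the original slides: it computes them for constructed 8×8 RGB images and made-up top-1 labels, and its single-window SSIM is a simplification of the windowed SSIM usually reported.

```python
import math
import random

# Constructed sample data (not from the slides): four 8x8 RGB images with values
# in 0..255, standing in for the 224x224x3 ImageNet crops the slides describe.
random.seed(0)
SIDE, EPS = 8, 8.0
ORIGINALS = [[tuple(random.randint(0, 255) for _ in range(3)) for _ in range(SIDE * SIDE)]
             for _ in range(4)]
# Adversarial versions: each channel moved by at most the step size EPS, then clipped.
ADVERSARIALS = [[tuple(min(255.0, max(0.0, c + random.uniform(-EPS, EPS))) for c in px)
                 for px in img] for img in ORIGINALS]

def psnr(orig, adv, peak=255.0):
    """Peak signal-to-noise ratio in dB; higher means a less visible perturbation."""
    diffs = [(a - b) ** 2 for pa, pb in zip(orig, adv) for a, b in zip(pa, pb)]
    mse = sum(diffs) / len(diffs)
    return math.inf if mse == 0 else 10.0 * math.log10(peak ** 2 / mse)

def ssim_global(orig, adv, peak=255.0):
    """Single-window SSIM on the grayscale image (a simplification of windowed SSIM)."""
    x = [sum(px) / 3 for px in orig]
    y = [sum(px) / 3 for px in adv]
    n = len(x)
    mx, my = sum(x) / n, sum(y) / n
    vx = sum((v - mx) ** 2 for v in x) / n
    vy = sum((v - my) ** 2 for v in y) / n
    cov = sum((a - mx) * (b - my) for a, b in zip(x, y)) / n
    c1, c2 = (0.01 * peak) ** 2, (0.03 * peak) ** 2
    return ((2 * mx * my + c1) * (2 * cov + c2)) / ((mx ** 2 + my ** 2 + c1) * (vx + vy + c2))

def escape_rate(true_labels, predicted_labels):
    """Share of adversarial images whose top-1 label differs from the true label."""
    wrong = sum(1 for t, p in zip(true_labels, predicted_labels) if t != p)
    return wrong / len(true_labels)

def evaluate(originals, adversarials, true_labels, predicted_labels, min_psnr=20.0):
    """Summarise one evaluation run: escape rate plus perturbation visibility metrics."""
    psnrs = [psnr(o, a) for o, a in zip(originals, adversarials)]
    ssims = [ssim_global(o, a) for o, a in zip(originals, adversarials)]
    return {
        "escape_rate": escape_rate(true_labels, predicted_labels),
        "mean_psnr": sum(psnrs) / len(psnrs),
        "mean_ssim": sum(ssims) / len(ssims),
        "all_above_min_psnr": min(psnrs) >= min_psnr,
    }
```

Call `evaluate(ORIGINALS, ADVERSARIALS, true_labels, predicted_labels)` with the true labels and the service's top-1 replies to get all three figures for a run.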
Attack Evaluation: Ensemble-model attack

Ensemble-model attack
ResNet
a lot of DNNs


Attack Evaluation: Ensemble-model attack

the pre-processing of

The figure records the escape rate of the ensemble-model attack.


Conclusion 


Keeping the model in the cloud provides a FALSE sense of security.

Our FFL-PGD attack has a success rate over 90% among different cloud-based image classification services, using only two queries per image.


